Global Finances Daily

Identifying Compromised Data Can Be a Logistical Nightmare

May 8, 2023



You’ve just learned your corporate network or cloud environment was breached. Do you know how to identify which data was compromised and where it was stored?

Launching a breach investigation generally requires that you have some sort of starting point, but knowing that starting point is not always possible. Sometimes you won’t know which data or physical asset was compromised — only that the FBI just called to tell you your corporate data was found on the Dark Web for sale, says Tyler Young, CISO at BigID, a security firm that specializes in privacy, compliance, and governance.

The source database, application, server, or storage repository needs to be determined to ensure the forensics team can ferret out any potential threat still looming in your network.

John Benkert, co-founder and CEO of data security company Cigent, recommends that if you do not know exactly what data was breached, you start evaluating systems and resources that are most critical to the organization’s operations or contain the most sensitive information. Focus on systems that are most likely to have been targeted in a breach, such as those with known vulnerabilities or weak security controls.

“When security teams are looking for compromised data, they often focus on the wrong things, such as looking for known signatures or indicators of compromise,” says Ani Chaudhuri, CEO of Dasera. “This approach can be effective for detecting known threats, but it’s less useful for finding new or advanced threats that don’t match known patterns. Instead, security teams should focus on understanding the organization’s data and how it is accessed, used, and stored.”

Keep Knowledge Current to Maintain Traceability

Young says a fundamental understanding of your assets, including data systems, identities, and people, will help you work backward if there is a breach. Through automated data discovery and classification, organizations can better understand where their sensitive data resides and who has access to it. This information can then be used to identify and prioritize security controls, such as access controls and encryption, to protect the data, he notes.

Connecting the dots between systems, people, security controls, and other identifiable assets provides the proverbial breadcrumbs back through the data breach, from data on the Dark Web to where the data originally resided on the corporate servers or in the cloud.

Having an up-to-date asset management profile, including where data is stored, which data is located in which repository, and a complete inventory of the network topology and devices, is essential.
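The trace-back described above can be sketched as follows. This is an added example, not code from the article or from any vendor it quotes: it assumes the discovery process has already recorded, per repository, the field names and keyed hashes of identifier values, and the repository names, key, and records are all constructed.

```python
import hashlib
import hmac

INVENTORY_KEY = b"constructed-demo-key"  # assumption: held by the discovery tooling

def fingerprint(value):
    """Keyed hash of a normalised identifier, so the inventory stores no raw PII."""
    return hmac.new(INVENTORY_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def build_inventory(repos):
    """repos: name -> list of row dicts. Returns name -> field names and ID fingerprints."""
    inventory = {}
    for name, rows in repos.items():
        fields, ids = set(), set()
        for row in rows:
            fields.update(row)
            if "email" in row:
                ids.add(fingerprint(row["email"]))
        inventory[name] = {"fields": fields, "ids": ids}
    return inventory

def rank_sources(inventory, leaked):
    """Rank repositories by how well they explain a leaked sample."""
    leaked_fields = set().union(*(row.keys() for row in leaked))
    if not leaked_fields:
        return []
    leaked_ids = {fingerprint(r["email"]) for r in leaked if "email" in r}
    ranked = []
    for name, meta in inventory.items():
        field_cov = len(leaked_fields & meta["fields"]) / len(leaked_fields)
        id_cov = len(leaked_ids & meta["ids"]) / len(leaked_ids) if leaked_ids else 0.0
        ranked.append((name, round(id_cov, 2), round(field_cov, 2)))
    # Record overlap decides; schema coverage breaks ties.
    return sorted(ranked, key=lambda t: (t[1], t[2]), reverse=True)

# Constructed sample data: three repositories and a leaked sample.
REPOS = {
    "crm_db": [{"email": f"{u}@example.com", "name": u, "phone": "555"} for u in "abc"],
    "billing_bucket": [{"email": f"{u}@example.com", "name": u, "card_last4": "0000"} for u in "ad"],
    "hr_share": [{"employee_id": "1", "name": "x", "salary": "0"}],
}
LEAKED = [{"email": " A@Example.com", "name": "a", "phone": "555"},
          {"email": "b@example.com", "name": "b", "phone": "555"},
          {"email": "c@example.com", "name": "c", "phone": "555"}]

if __name__ == "__main__":
    for row in rank_sources(build_inventory(REPOS), LEAKED):
        print(row)
```

Each tuple is (repository, share of leaked identifiers found there, share of leaked field names found there); the top-ranked repository is where the forensics team starts.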

“CISOs need to have complete visibility into their organization’s IT infrastructure, including all virtual machines, storage systems, and endpoints,” Young says.

Cigent’s Benkert identifies some common errors organizations make when investigating a breach:

  • Failing to act quickly. Time is of the essence in a breach investigation, and delays in collecting forensic data allow attackers to cover their tracks, destroy evidence, or escalate their attack.
  • Overwriting or modifying data. Companies might inadvertently overwrite or modify forensic data by continuing to use affected systems or conducting uncontrolled investigations.
  • Lacking expertise. Collecting and analyzing forensic data requires specialized skills and tools, and companies might not have the appropriate in-house expertise to perform these tasks effectively.
  • Not considering all potential sources of evidence. Companies might overlook or not fully investigate all potential sources of forensic data, such as cloud services, mobile devices, or physical media.
  • Not preserving data in a forensically sound manner. To maintain the integrity of the evidence, it is important to use forensically sound methods for data acquisition and preservation. To be forensically sound, the collection process must be defensible by being consistent, repeatable, well documented, and authenticated.
  • Not having a clear incident response plan. A well-defined plan can help ensure that all relevant data is collected and that the investigation is conducted in a methodical and effective manner.
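One way to make collection repeatable, documented, and authenticated, and to catch the inadvertent modification described in the list above, is a hashed evidence manifest. This is an added example, not Cigent's method: the file names, the examiner label, and the `seal` helper are assumptions, and the evidence files are constructed in a temporary directory.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(paths, examiner):
    """Record what was collected, by whom, when, and its hash at collection time."""
    return [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p),
             "collected_utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner} for p in sorted(paths)]

def seal(manifest):
    """Hash of the canonical manifest; keep it apart from the evidence itself."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def verify(manifest, expected_seal):
    """Return a list of problems; an empty list means evidence matches the record."""
    if seal(manifest) != expected_seal:
        return ["manifest altered"]
    problems = []
    for entry in manifest:
        if not os.path.exists(entry["path"]):
            problems.append("missing: " + entry["path"])
        elif sha256_file(entry["path"]) != entry["sha256"]:
            problems.append("modified: " + entry["path"])
    return problems

def demo():
    """Constructed scenario: one collected file is written to after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        log, dump = os.path.join(d, "auth.log"), os.path.join(d, "db.dump")
        for path, data in ((log, b"constructed log\n"), (dump, b"constructed dump\n")):
            with open(path, "wb") as f:
                f.write(data)
        manifest = acquire([log, dump], examiner="analyst-1")
        sealed = seal(manifest)
        before = verify(manifest, sealed)
        with open(log, "ab") as f:  # the affected system stayed in use
            f.write(b"later write\n")
        after = verify(manifest, sealed)
        return before, [p.split(":")[0] for p in after]

if __name__ == "__main__":
    print(demo())
```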

“Continuous monitoring and risk detection capabilities help organizations identify anomalous or suspicious behavior that could indicate a data breach,” Dasera’s Chaudhuri notes. By monitoring data access patterns and changes to data and infrastructure, organizations can quickly detect potential threats and alert security teams to take action.

OT Breaches Present Special Concerns

Breaches of operational technology (OT) environments often throw additional challenges at forensics teams. With a traditional IT network, servers and other endpoint devices can be physically removed and taken to a law enforcement lab to be analyzed. But that is not necessarily the case in OT environments, notes Marty Edwards, deputy CTO for OT/IoT at Tenable, member of the International Society of Automation (ISA) Global Cybersecurity Alliance (GCA), and former ISA director.

In OT environments, compromised data could exist in device controllers embedded in critical infrastructure systems, such as a water treatment plant or the electric grid, that cannot be disconnected or turned off without affecting thousands of people.

Even turning over a compromised, mission-critical laptop to the FBI might require the IT team to negotiate the process of replacing the laptop to preserve its mission-critical function rather than just putting it into an evidence bag. Where OT and IT networks converge, common cyberattacks, such as ransomware, can lead to much more complex forensic investigations due to the different levels of security in network devices.

One of the difficulties is that OT systems use very customized and sometimes proprietary hardware, and the protocols are not openly published or available, Edwards notes.

“In some cases, we had to build our own tools, or we had to partner with the manufacturer or the vendor to bring in their factory tools that they don’t sell to anybody, but they use while they’re manufacturing the product,” he says.

Occasionally, software tools might need to be custom-built on site, as traditional forensic tools often would not work, Edwards says.

Editorial Team
